ISO 27001 implementation: turn security into audited trust.
We build your ISMS with a technical, operational approach: gap analysis, risk assessment, SoA, internal audit, and certification support—leaving you “audit-ready” with clear evidence and ownership.
Approach
Control + evidence + technical execution
Deliverables
SoA, risks, internal audit, backlog
Outcome
Audit-ready ISMS for certification
ISO 27001 isn’t “documentation”—it’s security operations.
Certification requires a living system: risk decisions, implemented controls and repeatable evidence. We combine consulting with technical delivery so your ISMS doesn’t stay on paper.
Certification without friction
A phased delivery with auditable outputs. We reduce iteration cycles and the typical ISMS bottlenecks.
Technical + governance approach
Not just “paper”: we implement controls in IAM, logging, hardening, M365, backups, suppliers and SDLC.
Alignment with NIS2 / DORA / ENS
We map ISMS evidence to regulatory obligations to reduce duplication and accelerate audits.
ISO 27001 implementation process
Clear phases to reach certification with evidence, ownership, and closure.
Scope, context & objectives
Define perimeter, processes, sites, critical suppliers and audit criteria.
Gap analysis (ISO 27001:2022)
Clause and Annex A gaps, quick wins and a prioritized backlog.
Risks + SoA
Risk model, treatment, and SoA with evidence and accountable owners.
Technical & operational implementation
Real controls: IAM/MFA, hardening, logging, backups, DR, SDLC, suppliers.
Internal audit & closure
Execution, nonconformities and corrective actions with re-evidence.
Certification
Support in Stage 1/Stage 2 and stabilization of the continuous improvement cycle.
Annex A (ISO 27001:2022): 4 domains
We structure delivery by domains so the ISMS is implementable and auditable.
Organizational (37 controls)
Policies, third parties, asset management, cloud security and governance.
People (8 controls)
Lifecycle, awareness, roles, confidentiality and access.
Physical (14 controls)
Perimeters, facilities, equipment and media protection.
Technological (34 controls)
Identity, crypto, hardening, vulnerabilities, logging and secure development.
Deliverables that close audits
ISO 27001 is won with evidence: risks, SoA, operational control and internal audit. We leave you with a maintainable ISMS, backlog and owners to sustain continual improvement.
Gap analysis + project plan
Baseline assessment, risks, control gaps and a phased roadmap.
Complete ISMS set (policies + procedures)
Minimum viable documentation that is operational and tailored to your business.
Risk assessment & treatment
Method, risk register, treatment plans and acceptance.
SoA (Statement of Applicability)
Applicability, justifications, evidence and audit traceability.
Internal audit + corrective action plan
Nonconformities, observations and closure plan with owners.
Certification support
Preparation, evidence review and support through the external certification audit.
Frequently asked questions
How long does ISO 27001 certification usually take?
It depends on maturity and scope. A typical project runs 3–6 months for implementation, plus internal audit and then certification. We tailor the plan based on scope, number of sites, and criticality.
What’s the difference between ISO 27001:2013 and ISO 27001:2022?
The 2022 revision updates the control set and reorganizes Annex A to reflect modern practices (e.g., cloud security and configuration management) and clearer operational language.
What is the SoA (Statement of Applicability)?
It’s the document that states which Annex A controls apply, how they are implemented, and why any are excluded. It is central to audit traceability.
Do you include an ISO 27001 internal audit?
Yes. We run a full internal audit (checklists, evidence review, nonconformities and corrective action plan) and leave the ISMS in an audit-ready state.
Can ISO 27001 be certified for cloud environments (AWS/Azure/GCP)?
Yes—this is common. We define the ISMS scope and translate controls into cloud practices (IAM, logging, hardening, configuration, encryption, resilience, third parties) with verifiable evidence.
Can you support tenders and supplier due diligence?
Yes. We prepare reusable evidence packs and response templates for security questionnaires, due diligence, and third-party requirements, and we support the certification audit itself.
Do you implement ISO 27001 for companies in Madrid?
Yes. We work with organizations in Madrid and across Spain. When the client prefers, we coordinate on-site sessions for kick-off, steering committees, internal audit or Stage 1/2 preparation. See the local angle on the ISO 27001 in Madrid page.
Can I rely on an external CISO during ISO 27001 implementation?
Yes, and it's often a strong fit. With a virtual CISO (vCISO) service we cover the security leadership role — governance, risk, steering committee, auditor liaison — while the implementation project runs with the technical team. Especially useful when the organization doesn't have a dedicated CISO yet.
Can ISO 27001 be reused for ENS, NIS2 or DORA?
Yes. If the ISMS is designed with traceable evidence (control → procedure → record), a large part of the ISO 27001 work can be reused across ENS, NIS2 and DORA without rewriting documentation. We walk through the overlaps, gaps and sequencing in the ENS vs ISO 27001 vs NIS2 vs DORA comparison.
How does ISO 27001 relate to PCI DSS?
They are compatible and often stacked. ISO 27001 provides a reusable ISMS baseline (governance, risk, SoA, evidence). PCI DSS v4.0.1 adds the specific control set required inside the cardholder data environment (CDE) — network segmentation, file integrity, key management, quarterly ASV scans, RoC or SAQ attestation. An ISMS designed with traceable evidence makes the PCI DSS audit path significantly shorter, because many general controls (access, logging, supplier management, training) already sit in the SoA.
Ready to certify ISO 27001?
Get a phased plan, auditable evidence and support through certification.